Hack demonstrates the growing vulnerability of consumer devices.

If you use a Samsung "Smart TV" that's connected to the Internet, there's a good chance Luigi Auriemma can hack into the device and access files stored on connected USB drives.

The researcher with Malta-based security firm ReVuln says he has uncovered a vulnerability in most Samsung models that makes it easy for him to locate their IP address on the Internet. From there, he can remotely access the device and exercise the same control someone in the same room would have. That includes gaining root access and installing malicious software. The attack exploits bugs in features that allow end users to install Skype, Pandora, and other types of apps. The TVs can be controlled using smartphone and tablet apps and in some cases by voice commands.

"At this point the attacker has complete control over the device," he wrote in an e-mail to Ars. "So we are talking about applying custom firmwares, spying on the victim if camera and microphone are available, stealing any credential and account stored... on the device, using his own certificates when accessing https websites, and tracking any activity of the victim (movies, photos, music, and websites seen) and so on. You become the TV."

Auriemma declined to disclose technical details to prevent others from carrying out malicious attacks without paying for the research. ReVuln is primarily a research firm that discovers and sells zero-day exploits in a wide range of products.

It's not the first time Auriemma has hacked the Internet-facing controls of a Samsung TV. In April he disclosed a bug in a Samsung D6000 model belonging to his brother. It allowed him to send it into an endless restart mode that persisted even after unplugging the device and turning it back on. He said at the time he wouldn't be surprised if he could carry out more serious attacks against the device even when he didn't have access to the local network it was connected to.

Auriemma's research raises the possibility that owners of Internet-connected consumer devices may soon be exposed to the same kinds of security threats confronting users of Windows and Mac computers. Air-conditioning units, lighting systems, and TVs that offer networking features typically use bare-bones operating systems that don't include the kinds of exploit defenses Microsoft and Apple have spent years developing.

At the moment, the amount of damage Auriemma can do with his attack is modest when compared with the sophisticated exploits carried out by trojans used to siphon money out of bank accounts. Still, there's nothing stopping him from plundering the contents of USB sticks attached to a vulnerable TV. And with more work, it's possible he could develop firmware that monitors the programs, cameras, or movies it displays.

"A common device like a TV can be used for monitoring people and stealing information," he wrote. "In this situation it doesn't matter if the TV is reachable by the Internet or not because the attacker has a specific selected target: a person at home or a company."

A video demonstration of the hack follows:

ReVuln - The TV is watching you

Update:

In the event a TV is behind a router that uses network address translation, Auriemma's attack won't work at the moment. But with more work, he says it could be possible to use exploits based on IPv6, the next-generation Internet routing protocol, to bypass that protection. He also said readers shouldn't discount the ability to carry out the attack on local networks, since TVs may be plugged into office networks.

Several readers were confused by Auriemma's comment that it doesn't matter if the TV is reachable on the Internet. He said a TV can also be reached through a local network: someone cracking a weak Wi-Fi password and someone who has limited network privileges are two examples of how the vulnerability could be exploited even if there's no Internet access.

Two days after this article was published Samsung representatives issued the following statement: "We have discovered that only in extremely unusual circumstances a connectivity issue arises between Samsung Smart TVs released in 2011 and other connected devices. We assure our customers that our Smart TVs are safe to use. We will release a previously scheduled software patch in January 2013 to further strengthen Smart TV security. We recommend our customers to use encrypted wireless access points, when using connected devices."

I have a (non Samsung) smart[ish] TV and I have often worried if it can be a bridge into my network... it would be a great way to exfiltrate files... have a persistent threat on your network that is always on... you don't know what your TV is doing when you're not watching it (word play intended)

That said, I see me running even more pro-active defensive measures for my network than I do now for when/if I purchase one of these higher end pieces of media (I currently do everything through my computers and smart phones, no game systems, printers, etc.).

Is this the sort of "hack" that requires the Samsung TV to be in a DMZ?

I suspect so, though maybe there's some UPnP stuff that might also make it work through any NAT setup. I'm really skeptical about the 'can locate your IP on the internet' - it sounds far too much like those 'Windows support' scammers.

Agree with other commenters. Dan G, did you ask whether this attack only applies to devices with exposed external IP addresses, or does it also affect NAT, which is the much more likely scenario for a home appliance?

I think the bit about internet access not mattering (in the last paragraph) implies a local attack (either LAN or direct physical insertion).

Unless you are forwarding packets to the TV or your router/firewall has been compromised it really should not be able to reach a NAT device. Your router/firewall should be denying any packets that try to come in without a previous request, unless of course you have it configured to accept specific ones. Also "should" as in "you better make sure it is set up that way".

"In this situation it doesn't matter if the TV is reachable by the Internet or not because the attacker has a specific selected target: a person at home or a company."

Not sure I understand this. How would the hacker connect to the TV to initiate the exploit if it's not accessible?

I expect he's talking about the "insider threat" here. For example: The successful CEO decides that he wants the bestest smart TV on the market for his own office. After he gets it installed, a guy who has become embittered about his employment walks into the CEO's office one evening, plugs a USB stick into the TV, and programs it to store and/or transmit everything that goes on in the room. Later, this disgruntled employee quits and then props up his own business by stealing business opportunities and patentable ideas gleaned from the data gathered through that TV.

Now, obviously, this isn't your "typical" scenario... but it is exactly the kind of scenario that goes through the minds of security personnel, when they're tasked with performing a risk assessment of any given piece of technology. This vulnerability is really bad for Samsung's marketability to enterprise customers.

As for home users, try this on for size... your teenage son's best friend is over playing video games or something, and happens to get a moment alone in the living room. He has the hots for your wife and/or daughter, so he promptly whips out his USB stick...

Why the heck do these things allow incoming traffic at all? Since most of these things are based on Linux why don't they have iptables/ipfilter/snort or something installed and configured to allow only outbound traffic or at most perhaps incoming traffic only from samsung.com addresses?

I personally am not too worried as I have a decent setup at home, but I can see my Dad plugging his TV directly into his cable modem and getting owned by some kid in the neighborhood. Of course he'll end up calling me for help!

1. It won't work unless you have port forwarded all the relevant ports to your TV.
2. How do I get that Windows remote control app for my TV? I have the Android one but being able to control from my PC would be great.

As an owner of a Sony smart TV I can tell you: Because the people that write the software for these are either incompetent or unable to convince management that software shouldn't be awful.

I ended up buying a Roku simply because the TV's software was too slow, or the interface was too obnoxious.

Any idea if this is Samsung-specific or other vendors like LG and Sony are affected too?

I read a couple of articles that stated pretty much any internet-connected TV was at risk. One of them was strictly about a hacker accessing the TV and apps and pulling credit card and personal info. Articles like this make me feel much better that the company I work for refuses to use the cloud. If they can't make our TV secure, is our company and personal info really that secure?

I checked back with Auriemma, and he said Internet-based attacks won't work against TVs that are behind a router, at least at the moment. He said with additional work, the exploit might be able to use IPv6 to bypass this protection. The question about NAT is one I should have asked initially. Apologies for that.

The story has been updated to include this information, and also to clarify what Auriemma meant by it not mattering if the TV is reachable by the Internet. You're correct that he was referring to an insider threat.

It seems to me like it could work against any TV behind a NAT if there's another already infected device on the network, like that old Windows XP machine that's got 20 viruses on it that so many homes have lying around. It wouldn't be a big deal to add an attack based on this to that malware, so that once it's inside the network and sitting on a PC it just looks on the LAN (where the TV has unfettered access) and goes to town.

At risk of sounding like a Luddite, I really don't think that every device needs Internet connectivity.

I'm of the opinion that my TV should be a monitor only and the stuff connected to it may or may not need the Internet. Luddites unite!

I agree, and my HDTV is actually old enough to not have any Internet connectivity, but in practice this does not eliminate the problem, it only moves it. My "dumb" TV is connected to a Roku box that is fully Internet-capable and can be controlled by a Roku app on my phone (which actually has some advantages over the remote such as having a full keyboard for searches), and it's also connected to my Blu-Ray player with wifi, Ethernet, and its own decent complement of networked apps. The Roku doesn't even have an off switch.

We are moving to a future where all entertainment devices come with network connectivity simply to keep up with competitors' feature bullet lists, which means the TV is not the real problem: the rest of your living room is. So while you might win the battle of locating a non-networked TV, the new home AV components you buy may leave you with multiple devices with multiple sets of network apps and vulnerabilities outside your TV...and inside your network.

True, but in 20 years don't be surprised if your TV signal comes EXCLUSIVELY via network. Already, in my house, we've cut cable and TV comes via Netflix or Apple TV. The next generation is not going to tolerate the broadcast television model at all.

Probably should change the heading to be "How a network-connected TV...." then. The current one still sounds like any TV connected to the net can be compromised.

The thing is, very little or nothing will stop the Government from watching you, just like the old 1984 Orwell novel. The Government builds their secret backdoor into the gear you buy and they have the power. Not trying to be a paranoid person but just a man who wants some privacy. I personally have no intentions of ever buying a TV that you have to connect to the Internet. Especially one that has a webcam mounted in the TV.

It really has nothing to do with NAT. The fact is every home router is both a firewall and a NAT device in one; you can have one without the other, or both in the case of SOHO routers. IPv6 won't help, as that is just a different form of NAT, or the firewall is in a transparent mode. Either way the firewall will deny unsolicited inbound access to something on the secured side, regardless of whether NATv4, NATv6 or no NAT is involved.

Wait, it doesn't work if the TV is connected to the internet via NAT translation? So it doesn't work... on nearly 100% of these TVs, the ones not connected to any network and the ones connected via NAT. That's useless.

I am confused by the hacker's statement about IPv6, to be honest. I don't see how IPv6 could make a device behind a Firewall/Router any more accessible if it's not already accessible with IPv4. Furthermore, do these devices even support IPv6? Let's be honest, most home modems and routers don't even support it.

Furthermore, any attack that involves IPv6 could only be used if your ISP supports IPv6 and assigns you an IPv6 address. The majority of internet users don't have one, and are not even scheduled to get one for years (despite the ISPs rolling them out); people are just not getting the hardware that actually supports it.